Frequently asked questions for the Azure Information Protection classic client

*Applies to: Azure Information Protection, Office 365*

*Relevant for: AIP classic client only. For more information, see Frequently asked questions for Azure Information Protection.*

This article lists frequently asked questions that relate to the Azure Information Protection classic client only.

Note

To provide a unified and streamlined customer experience, the Azure Information Protection classic client and Label Management in the Azure portal are being deprecated as of March 31, 2021. This time frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

Is the Azure Information Protection client only for subscriptions that include classification and labeling?

No. The classic AIP client can also be used with subscriptions that include just the Azure Rights Management service, for data protection only.

When the classic client is installed without an Azure Information Protection policy, the client automatically operates in protection-only mode, which lets users apply Rights Management templates and custom permissions.

If you later purchase a subscription that does include classification and labeling, the client automatically switches to standard mode when it downloads the Azure Information Protection policy.

What's the difference between Windows Server FCI and the Azure Information Protection scanner?

Windows Server File Classification Infrastructure has historically been an option to classify documents and then protect them by using the Rights Management connector (Office documents only) or a PowerShell script (all file types).

We now recommend that you use the Azure Information Protection scanner. The scanner uses the Azure Information Protection client and your Azure Information Protection policy to label documents (all file types) so that these documents are then classified and, optionally, protected.

The main differences between these two solutions:

| | Windows Server FCI | Azure Information Protection scanner |
|---|---|---|
| Supported data stores | Local folders on Windows Server | - Windows file shares and network-attached storage; - SharePoint Server 2016 and SharePoint Server 2013. SharePoint Server 2010 is also supported for customers who have extended support for this version of SharePoint. |
| Operational mode | Real time | Systematically crawls the data stores once or repeatedly |
| Supported file types | - All file types are protected by default; - Specific file types can be excluded from protection by editing the registry | - Office file types and PDF documents are protected by default; - Additional file types can be included for protection by editing the registry |

Setting Rights Management owners

By default, for both Windows Server FCI and the Azure Information Protection scanner, the Rights Management owner is set to the account that protects the file.

Override the default settings as follows:

  • Windows Server FCI: Set the Rights Management owner to be a single account for all files, or dynamically set the Rights Management owner for each file.

    To dynamically set the Rights Management owner, use the -OwnerMail [Source File Owner Email] parameter and value. This configuration retrieves the user's email address from Active Directory by using the user account name in the file's Owner property.

  • Azure Information Protection scanner: For newly protected files, set the Rights Management owner to be a single account for all files on a specified data store by specifying the Default owner setting in the scanner profile.

    Dynamically setting the Rights Management owner for each file is not supported, and the Rights Management owner is not changed for previously protected files.

    Note

    When the scanner protects files on SharePoint sites and libraries, the Rights Management owner is dynamically set for each file by using the SharePoint Editor value.

How do I prevent somebody from removing or changing a label?

Although there's a policy setting that requires users to state why they are lowering a classification label, removing a label, or removing protection, this setting does not prevent these actions. To prevent users from removing or changing a label, the content must already be protected, and the protection permissions must not grant the user the Export or Full Control usage right.

How can DLP solutions and other applications integrate with Azure Information Protection?

Because Azure Information Protection uses persistent metadata for classification, which includes a clear-text label, this information can be read by DLP solutions and other applications.

For more information about this metadata, see Label information stored in emails and documents.

For examples of using this metadata with Exchange Online mail flow rules, see Configuring Exchange Online mail flow rules for Azure Information Protection labels.

Can I create a document template that automatically includes the classification?

Yes. You can configure a label to apply a header or footer that includes the label name. But if that doesn't meet your requirements, for the Azure Information Protection classic client only, you can create a document template that has the formatting you want and add the classification as a field code.

As an example, you might have a table in your document's header that displays the classification. Or, you might use specific wording for an introduction that references the document's classification.

To add this field code in your document:

  1. Label the document and save it. This action creates new metadata fields that you can now use for your field code.

  2. In the document, position the cursor where you want to add the label's classification and then, from the Insert tab, select Text > Quick Parts > Field.

  3. In the Field dialog box, from the Categories dropdown, select Document Information. Then, from the Field names dropdown, select DocProperty.

  4. From the Property dropdown, select Sensitivity, and select OK.

The current label's classification is displayed in the document, and this value is refreshed automatically whenever you open the document or use the template. So if the label changes, the classification that is displayed for this field code is automatically updated in the document.
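The clear-text label metadata that DLP solutions read, and the Sensitivity document property that the DocProperty field code above displays, both live in the docProps/custom.xml part of an Office file. The following Python is an added example, not part of this article or of any Microsoft tool: it parses a constructed custom.xml sample (the label GUID and values are made up) into the MSIP_Label_* property groups a DLP rule would match on.

```python
"""Read Azure Information Protection label metadata from an Office file's custom
properties. AIP writes each label as MSIP_Label_<label GUID>_<field> properties in
docProps/custom.xml; the classic client also writes a plain "Sensitivity" property,
which is the value the DocProperty field code displays. All of it is clear text."""
import re
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
    "vt": "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes",
}
# AIP property names follow this shape; the GUID is the label's id.
LABEL_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(\w+)$")

# Constructed sample of docProps/custom.xml (the label GUID and values are made up).
SAMPLE_CUSTOM_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
 xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">
 <property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2"
  name="MSIP_Label_11111111-2222-3333-4444-555555555555_Enabled"><vt:lpwstr>true</vt:lpwstr></property>
 <property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="3"
  name="MSIP_Label_11111111-2222-3333-4444-555555555555_Name"><vt:lpwstr>Confidential</vt:lpwstr></property>
 <property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="4"
  name="MSIP_Label_11111111-2222-3333-4444-555555555555_Method"><vt:lpwstr>Standard</vt:lpwstr></property>
 <property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="5"
  name="Sensitivity"><vt:lpwstr>Confidential</vt:lpwstr></property>
</Properties>"""


def parse_custom_props(xml_bytes: bytes) -> dict:
    """Return {property name: string value} for every property in a custom.xml part."""
    root = ET.fromstring(xml_bytes)
    # Each <property> carries exactly one vt:* child holding the typed value.
    return {p.get("name"): (p[0].text if len(p) else None)
            for p in root.findall("cp:property", NS)}


def extract_labels(props: dict) -> dict:
    """Group MSIP_Label_* properties by label GUID: {guid: {field: value}}."""
    labels = {}
    for name, value in props.items():
        m = LABEL_RE.match(name)
        if m:
            labels.setdefault(m.group(1).lower(), {})[m.group(2)] = value
    return labels


def active_label_names(props: dict) -> list:
    """Names of labels whose Enabled flag is true; what a DLP rule would match on."""
    return sorted(f["Name"] for f in extract_labels(props).values()
                  if (f.get("Enabled") or "").lower() == "true" and "Name" in f)
```

For a real .docx, .xlsx or .pptx, read the docProps/custom.xml member out of the file (it is a zip archive) and pass those bytes to parse_custom_props.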

How is classification for emails using Azure Information Protection different from Exchange message classification?

Exchange message classification is an older feature that can classify emails, and it is implemented independently from Azure Information Protection labels or sensitivity labels that apply classification.

However, you can integrate this older feature with labels, so that when users classify an email by using Outlook on the web or some mobile mail applications, the label classification and corresponding label markings are automatically added.

You can use this same technique to use your labels with Outlook on the web and these mobile mail applications.

Note that there's no need to do this if you're using Outlook on the web with Exchange Online, because this combination supports built-in labeling when you publish sensitivity labels from the Office 365 Security & Compliance Center, Microsoft 365 security center, or Microsoft compliance center.

If you cannot use built-in labeling with Outlook on the web, see the configuration steps for this workaround: Integration with the legacy Exchange message classification.

How do I configure a Mac computer to protect and track documents?

First, make sure that you have installed Office for Mac by using the software installation link from https://admin.microsoft.com. For full instructions, see Download and install or reinstall Microsoft 365 or Office 2019 on a PC or Mac.

Open Outlook and create a profile by using your Microsoft 365 work or school account. Then, create a new message and do the following to configure Office so that it can protect documents and emails by using the Azure Rights Management service:

  1. In the new message, on the Options tab, click Permissions, and then click Verify Credentials.

  2. When prompted, specify your Microsoft 365 work or school account details again, and select Sign in.

    This downloads the Azure Rights Management templates, and Verify Credentials is replaced with options that include No Restrictions, Do Not Forward, and any Azure Rights Management templates that are published for your tenant. You can now cancel this new message.

To protect an email message or a document: On the Options tab, click Permissions and choose an option or template that protects your email or document.

To track a document after you have protected it: From a Windows computer that has the Azure Information Protection classic client installed, register the document with the document tracking site by using either an Office application or File Explorer. For instructions, see Track and revoke your documents. From your Mac computer, you can now use your web browser to go to the document tracking site (https://track.azurerms.com) to track and revoke this document.

When I test revocation in the document tracking site, I see a message that says people can still access the document for up to 30 days. Is this time period configurable?

Yes. This message reflects the use license for that specific file.

If you revoke a file, that action can be enforced only when the user authenticates to the Azure Rights Management service. So if a file has a use license validity period of 30 days and the user has already opened the document, that user continues to have access to the document for the duration of the use license. When the use license expires, the user must reauthenticate, at which point the user is denied access because the document is now revoked.

The user who protected the document, the Rights Management issuer, is exempt from this revocation and is always able to access their documents.

The default value for the use license validity period for a tenant is 30 days, and this setting can be overridden by a more restrictive setting in a label or template. For more information about the use license and how to configure it, see the Rights Management use license documentation.

What's the difference between BYOK and HYOK, and when should I use them?

Bring your own key (BYOK), in the context of Azure Information Protection, is when you create your own key on-premises for Azure Rights Management protection. You then transfer that key to a hardware security module (HSM) in Azure Key Vault, where you continue to own and manage your key. If you didn't do this, Azure Rights Management protection would use a key that is automatically created and managed for you in Azure. This default configuration is referred to as "Microsoft-managed" rather than "customer-managed" (the BYOK option).

For more information about BYOK and whether you should choose this key topology for your organization, see Planning and implementing your Azure Information Protection tenant key.

Hold your own key (HYOK), in the context of Azure Information Protection, is for the few organizations that have a subset of documents or emails that cannot be protected by a key that is stored in the cloud. For these organizations, this restriction applies even if they created the key and manage it using BYOK. The restriction is often due to regulatory or compliance reasons, and the HYOK configuration should be applied only to "Top Secret" information that will never be shared outside the organization, will only be consumed on the internal network, and does not need to be accessed from mobile devices.

For these exceptions (typically less than 10% of all the content that needs to be protected), organizations can use an on-premises solution, Active Directory Rights Management Services, to create the key that remains on-premises. With this solution, computers get their Azure Information Protection policy from the cloud, but this identified content can be protected by using the on-premises key.

For more information about HYOK, to make sure that you understand its limitations and restrictions, and for guidance on when to use it, see Hold your own key (HYOK) requirements and restrictions for AD RMS protection.

What do I do if my question isn't here?

First, review the frequently asked questions listed below, which are specific to classification and labeling, or specific to data protection. The Azure Rights Management service (Azure RMS) provides the data protection technology for Azure Information Protection. Azure RMS can be used with classification and labeling, or by itself.

If your question isn't answered, see the links and resources listed in Information and support for Azure Information Protection.

In addition, there are FAQs designed for end users: